Class AbstractDelegationTokenBinding

  • All Implemented Interfaces:
    Closeable, AutoCloseable, org.apache.hadoop.service.Service

    public abstract class AbstractDelegationTokenBinding
    extends org.apache.hadoop.service.AbstractService
    Binds a file system to a service name and an access token provider.
    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      protected class  AbstractDelegationTokenBinding.TokenSecretManager
      The secret manager always uses the same secret; the factory for new identifiers is that of the token manager.
      • Nested classes/interfaces inherited from interface org.apache.hadoop.service.Service

        org.apache.hadoop.service.Service.STATE
    • Field Summary

      Fields 
      Modifier and Type Field Description
      protected org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> secretManager  
    • Method Summary

      Modifier and Type Method Description
      void bindToFileSystem​(GoogleHadoopFileSystem fileSystem, org.apache.hadoop.io.Text service)
      Bind to the filesystem.
      abstract AccessTokenProvider bindToTokenIdentifier​(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier retrievedIdentifier)
      Bind to the token identifier, returning the access token provider the owner uses to talk to GCP services.
      protected <T extends org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> T convertTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier identifier, Class<T> expectedClass)
      Verify that a token identifier is of a specific class.
      org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> createDelegationToken​(String renewer, DelegationTokenStatistics stats)
      Create a delegation token for the user.
      abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createEmptyIdentifier()
      Create a new "empty" token identifier.
      abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createTokenIdentifier()
      Create a token identifier with all the information needed to be included in a delegation token.
      abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createTokenIdentifier​(org.apache.hadoop.io.Text renewer)
      Create a token identifier with all the information needed to be included in a delegation token.
      abstract AccessTokenProvider deployUnbonded()
      Perform any actions needed when deploying unbonded, and return the access token provider to use.
      GoogleHadoopFileSystem getFileSystem()
      Returns the bound file system
      org.apache.hadoop.io.Text getKind()  
      org.apache.hadoop.io.Text getService()  
      • Methods inherited from class org.apache.hadoop.service.AbstractService

        close, getBlockers, getConfig, getFailureCause, getFailureState, getLifecycleHistory, getName, getServiceState, getStartTime, init, isInState, noteFailure, putBlocker, registerGlobalListener, registerServiceListener, removeBlocker, serviceInit, serviceStart, serviceStop, setConfig, start, stop, toString, unregisterGlobalListener, unregisterServiceListener, waitForServiceToStop
    • Field Detail

      • secretManager

        protected org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> secretManager
    • Constructor Detail

      • AbstractDelegationTokenBinding

        protected AbstractDelegationTokenBinding​(org.apache.hadoop.io.Text kind)
      • AbstractDelegationTokenBinding

        protected AbstractDelegationTokenBinding​(String name,
                                                 org.apache.hadoop.io.Text kind)
    • Method Detail

      • getKind

        public org.apache.hadoop.io.Text getKind()
      • getService

        public org.apache.hadoop.io.Text getService()
      • deployUnbonded

        public abstract AccessTokenProvider deployUnbonded()
                                                    throws IOException
        Perform any actions needed when deploying unbonded (no delegation token present), and return the access token provider to use.
        Throws:
        IOException - any failure.
      • bindToTokenIdentifier

        public abstract AccessTokenProvider bindToTokenIdentifier​(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier retrievedIdentifier)
                                                           throws IOException
        Bind to the token identifier, returning the access token provider the owner uses to talk to GCP services.
        Parameters:
        retrievedIdentifier - the unmarshalled data
        Returns:
        the access token provider to use for authenticating this client with GCP services.
        Throws:
        IOException - any failure.
      • bindToFileSystem

        public void bindToFileSystem​(GoogleHadoopFileSystem fileSystem,
                                     org.apache.hadoop.io.Text service)
        Bind to the filesystem. Subclasses can use this to perform their own binding operations - but they must always call their superclass implementation. This must be called before calling init().

        Important: This binding will happen during FileSystem.initialize(); the FS is not live for actual use and will not yet have interacted with GCS services.

        Parameters:
        fileSystem - owning FS.
        service - name of the service (i.e. bucket name) for the FS.
      • createDelegationToken

        public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> createDelegationToken​(String renewer,
                                                                                                                                                       DelegationTokenStatistics stats)
                                                                                                                                                throws IOException
        Create a delegation token for the user. This will only be called if a new DT is needed, that is: the filesystem has been deployed unbonded (see deployUnbonded()).
        Returns:
        the token
        Throws:
        IOException - if one cannot be created
      • createTokenIdentifier

        public abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createTokenIdentifier​(org.apache.hadoop.io.Text renewer)
                                                                                                                 throws IOException
        Create a token identifier with all the information needed to be included in a delegation token. This is where session credentials need to be extracted, etc. This will only be called if a new DT is needed, that is: the filesystem has been deployed unbonded (see deployUnbonded()).

        If createDelegationToken(java.lang.String, com.google.cloud.hadoop.fs.gcs.DelegationTokenStatistics) is overridden, this method can be replaced with a stub.

        Returns:
        the token data to include in the token identifier.
        Throws:
        IOException - failure creating the token data.
      • createTokenIdentifier

        public abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createTokenIdentifier()
                                                                                                                 throws IOException
        Create a token identifier with all the information needed to be included in a delegation token. This is where session credentials need to be extracted, etc. This will only be called if a new DT is needed, that is: the filesystem has been deployed unbonded (see deployUnbonded()).

        If createDelegationToken(java.lang.String, com.google.cloud.hadoop.fs.gcs.DelegationTokenStatistics) is overridden, this method can be replaced with a stub.

        Returns:
        the token data to include in the token identifier.
        Throws:
        IOException - failure creating the token data.
      • createEmptyIdentifier

        public abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createEmptyIdentifier()
        Create a new "empty" token identifier. It is used by the "dummy" SecretManager, which requires a token identifier (even one that's not real) to satisfy the contract.
        Returns:
        an empty identifier.
      • convertTokenIdentifier

        protected <T extends org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> T convertTokenIdentifier​(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier identifier,
                                                                                                                                 Class<T> expectedClass)
                                                                                                                          throws DelegationTokenIOException
        Verify that a token identifier is of a specific class (subclasses are rejected, i.e. the check is stricter than instanceof), then cast it to that type.
        Parameters:
        identifier - identifier to validate
        expectedClass - class of the expected token identifier.
        Throws:
        DelegationTokenIOException - If the wrong class was found.
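
The contract documented above, exercised end to end by a binding subclass, as an added example that is not part of the connector's own code: an identifier that carries session credentials, a provider that serves them, and a binding whose bindToTokenIdentifier() runs convertTokenIdentifier() before trusting any field of the retrieved identifier. The class names ExampleTokenIdentifier, SessionTokenProvider and ExampleBinding are hypothetical; the packages of AbstractDelegationTokenBinding and AccessTokenProvider, and the AccessToken(String, Long) constructor and AccessToken.getToken() accessor, are assumptions to be checked against the connector version in use; the configuration that makes the connector load the binding is not shown.

```java
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier;
import com.google.cloud.hadoop.fs.gcs.auth.AbstractDelegationTokenBinding; // package assumed
import com.google.cloud.hadoop.util.AccessTokenProvider;                 // package assumed

/** Hypothetical identifier: the base fields plus bucket, session token and expiry. */
final class ExampleTokenIdentifier extends DelegationTokenIdentifier {
  static final Text KIND = new Text("ExampleGcsDelegationToken"); // constructed kind name
  private Text bucket = new Text();
  private Text sessionToken = new Text();
  private long expiryMillis;

  ExampleTokenIdentifier() { super(KIND); } // the "empty" form used by createEmptyIdentifier()

  ExampleTokenIdentifier(Text owner, Text renewer, Text realUser, Text bucket, String sessionToken, long expiryMillis) {
    super(KIND, owner, renewer, realUser);
    this.bucket = bucket;
    this.sessionToken = new Text(sessionToken);
    this.expiryMillis = expiryMillis;
  }

  Text getBucket() { return bucket; }
  String getSessionToken() { return sessionToken.toString(); }
  long getExpiryMillis() { return expiryMillis; }

  // Extra fields are marshalled after the base fields, in the same order on both sides.
  @Override public void write(DataOutput out) throws IOException {
    super.write(out);
    bucket.write(out);
    sessionToken.write(out);
    out.writeLong(expiryMillis);
  }

  @Override public void readFields(DataInput in) throws IOException {
    super.readFields(in);
    bucket.readFields(in);
    sessionToken.readFields(in);
    expiryMillis = in.readLong();
  }
}

/** Hypothetical provider that serves one fixed session token taken from an identifier. */
final class SessionTokenProvider implements AccessTokenProvider {
  private final String token;
  private final long expiryMillis;
  private Configuration conf;

  SessionTokenProvider(String token, long expiryMillis) {
    this.token = token;
    this.expiryMillis = expiryMillis;
  }

  // AccessToken(String, Long) is the constructor signature assumed in this example.
  @Override public AccessToken getAccessToken() { return new AccessToken(token, expiryMillis); }
  @Override public void refresh() { /* fixed session token: nothing to refresh */ }
  @Override public void setConf(Configuration c) { conf = c; }
  @Override public Configuration getConf() { return conf; }
}

/** Hypothetical binding subclass. */
public final class ExampleBinding extends AbstractDelegationTokenBinding {
  private static final long SESSION_LIFETIME_MILLIS = 60L * 60 * 1000; // constructed: one hour
  private final AccessTokenProvider localCredentials;

  public ExampleBinding(AccessTokenProvider localCredentials) {
    super(ExampleTokenIdentifier.KIND);
    this.localCredentials = localCredentials;
  }

  // No token in the user's credentials: the filesystem runs on the process's own credentials.
  @Override public AccessTokenProvider deployUnbonded() { return localCredentials; }

  // A token was found: validate it strictly before trusting anything it carries.
  @Override public AccessTokenProvider bindToTokenIdentifier(DelegationTokenIdentifier retrieved) throws IOException {
    // Exact-class check: any other identifier class, subclasses included, is rejected here
    // with DelegationTokenIOException before any of its fields are read.
    ExampleTokenIdentifier id = convertTokenIdentifier(retrieved, ExampleTokenIdentifier.class);
    if (!id.getBucket().equals(getService())) {
      throw new IOException("token was issued for " + id.getBucket() + ", not " + getService());
    }
    if (id.getExpiryMillis() <= System.currentTimeMillis()) {
      throw new IOException("session credentials in the token have expired");
    }
    return new SessionTokenProvider(id.getSessionToken(), id.getExpiryMillis());
  }

  // Only called when the filesystem was deployed unbonded and a new token is requested.
  @Override public DelegationTokenIdentifier createTokenIdentifier(Text renewer) throws IOException {
    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    Text owner = new Text(ugi.getUserName());
    Text realUser = ugi.getRealUser() == null ? new Text() : new Text(ugi.getRealUser().getUserName());
    // Session credentials are captured at token creation; getToken() is an assumed accessor.
    String session = localCredentials.getAccessToken().getToken();
    return new ExampleTokenIdentifier(owner, renewer, realUser, getService(), session,
        System.currentTimeMillis() + SESSION_LIFETIME_MILLIS);
  }

  @Override public DelegationTokenIdentifier createTokenIdentifier() throws IOException {
    return createTokenIdentifier(new Text());
  }

  @Override public DelegationTokenIdentifier createEmptyIdentifier() {
    return new ExampleTokenIdentifier();
  }
}
```

The bucket and expiry checks in bindToTokenIdentifier() are this example's own additions on top of the documented class check: convertTokenIdentifier() only establishes that the identifier is exactly the class the binding wrote, so any further trust decision (which service the token was issued for, whether the session credentials inside it are still valid) has to be made by the binding itself.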